Re: SSL for login page only
From: mpes (mpes_at_community.nospam)
Date: Thu, 10 Mar 2005 15:40:00 +0100
Well I did not know that thing about credentials in HTTP headers. Of course
in such circumstances it does not make sense to SSL encode just initial
login. That would explain why I could not find any "How to do it" info on
Thanks a lot!
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
> It's possible, but it's not a great idea. After a user logs in via basic
> authentication, the login credentials will be communicated to the server
> as simple base64-encoded plaintext in the HTTP headers. If you allow this
> information to travel over HTTP, it will be as susceptible to theft by an
> eavesdropper as it was at the original login.
> "mpes" <firstname.lastname@example.org> wrote in message
> > Hi all,
> > My ASP.NET intranet web application uses Windows authentication. It has
> > to support both IE and Mozilla browsers so I am forced to allow Basic
> > Authentication for Mozilla users. Because of some intranet configuration
> > issues I cannot use the Digest Authentication.
> > I would like to protect the user name/password using SSL. But for
> > performance reasons I want to protect just login, the rest of the
> > communication shouldn't use SSL.
> > What is the way of doing this? The application start page is
> > I tried:
> > 1. Set "Require SSL" for default.aspx page in IIS - result is that SSL
> > will then be used for all pages
> > 2. Hook in Global.asax Application_BeginRequest and if the request is
> > for default.aspx I rewrite "https" request to "http" - that works and
> > switches the protocol, however with switching the protocol the web
> > fires the login window again (so the user has to type in the password
> > a second time and this time I believe it would travel in clear text)
> > Any other ideas? I searched the internet quite extensively but could not
> > find anything.
> > Thanks,
> > Martin
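
The point made in Nicole Calinoiu's reply, as an added example that is not part of the original thread: with Basic authentication the browser sends the credentials in the `Authorization` header on later requests too, so any request that leaves SSL after the login exposes them. The traffic, host name, paths, credentials and function names below are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: (scheme, raw request) pairs as a browser would send them
# after a Basic-auth login; user name, password, host and paths are made up.
_CRED = base64.b64encode(b"martin:s3cret:pw").decode()
SAMPLE_TRAFFIC = [
    ("https", "GET /default.aspx HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("https", f"GET /default.aspx HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic {_CRED}\r\n\r\n"),
    ("http", f"GET /reports.aspx HTTP/1.1\r\nHost: intranet\r\nauthorization: basic {_CRED}\r\n\r\n"),
    ("http", "GET /logo.gif HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic !!notbase64\r\n\r\n"),
]


def basic_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue  # header names are case-insensitive
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed token: nothing usable was sent
        user, sep, password = decoded.partition(":")  # password may contain ':'
        return (user, password) if sep else None
    return None


def cleartext_exposures(traffic):
    """List (path, user) for requests carrying Basic credentials over plain HTTP."""
    findings = []
    for scheme, raw in traffic:
        creds = basic_credentials(raw)
        if creds and scheme == "http":
            path = raw.split(" ", 2)[1]
            findings.append((path, creds[0]))
    return findings


if __name__ == "__main__":
    for path, user in cleartext_exposures(SAMPLE_TRAFFIC):
        print(f"credentials for {user!r} sent without SSL on {path}")
```

Run over a real capture or proxy log, the same check shows which pages would have to stay on SSL, which for Basic authentication is every page inside the protected area.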